#BHEU: Attackers and Spies Merge with Evolved Attacks

The next stage for attackers is indiscriminate attackers hitting businesses with repurposed malware, while merging their methods with the tactics spies use for espionage.

Speaking to Infosecurity at Black Hat Europe, Eward Driehuis, research chief at SecureLink said that convergence is happening now, as cyber-criminals are doing Big Data analysis on their victims to determine what would be of value.

“Back in 2011 and 2012 fraudsters began engaging with spies to run queries over; it was not so black and white anymore.”

Driehuis said that from 2006 to 2013 it was organized cybercrime operated by nation-state attackers, and that from 2013 there was a trend of nation states using existing tools rather than a bespoke tool.

“We’re in the middle of that evolution,” he said, adding that there were three events in the last 10 years that moved attackers from fraud to political hacking.

The first event was the rise of cybercrime in the financial space, where a victim would be reimbursed if they lost money. Driehuis said that to enable this, an attacker would need 1000 money mules, but in the case of the SWIFT attack on the Bangladesh bank, only four mules were needed to steal $81m.

The second event was ransomware, which he said was perfected by Gameover Zeus, as its operators found a way to get a return on investment from a botnet. Driehuis said that before, you needed a specific victim, but with ransomware you throw the net wide: it is a risk for everyone and it became everyone’s issue.

The third was WannaCry and NotPetya, which used the Shadow Brokers vulnerabilities to propagate malware but had no way to return files to the victim. Driehuis said that the first rule of ransomware is to return the files to the victim, or you get a bad reputation and people will not pay.

“What we see now is the banks know that they need to do something.” He said that retailers and healthcare also ‘get caught in the crossfire’ and he saw an evolution of ransomware to include espionage and cybercrime.

“Ransomware is nothing more than a form of extortion as they extort a business by stealing information and threatening to release it, and the hacking part is where the espionage and cybercrime skills are starting to merge,” he explained.

“I’ve seen the changes from something black and white: hackers stole your money, spies sold your secrets, but that’s not how it works anymore. The criminals are evolved, as they invested a lot of time in their tools like botnets and malware, and now they are recompiling it with new features and putting it in the wild.”

Driehuis concluded by saying that the current CISO needs to take action against actors who still use the same old spam emails and watering hole attacks to get in, but who are then sophisticated enough to move around the network. “If you’re unable to detect them, they will do lateral movement and they have pretty good tools too.”